FortiClient compliant but no access to data

Author
Maarten87
2019/03/12 06:02:05 (permalink)

Hi All,
 
Not sure if this is the correct place to ask, but I hope someone might be able to assist.
In our current configuration, we are using FortiClient 6.0.3. They connect to a FortiGate 61E using SSL VPN.
Some of our users are getting issues, that when they are working from home, they cannot access our company's network.
We have multiple people with the same problem.
 
Below is one of many issues we are facing at the moment:
Person is in the office. Connects to our WIFI, which is not part of our internal network. Connects SSL VPN and is compliant. Can access our internal network.
 
Person is at home. Connects to their home WIFI, which is not part of our internal network. Connects via SSL VPN and is compliant. Cannot access our internal network.
 
We are also facing below issue:
Person is at home. Connects to their home WIFI, which is not part of our internal network. Connects via SSL VPN and is compliant according to the client and the admin portal from FortiGate. Cannot access our internal network.
If I start an internet browser on the above client, it states that it is not compliant and that it has detected FortiClient version "0.0.0".
 
Hope someone is able to assist, as this is pretty critical. Makes working from home impossible.
#1


    SteveG
    Re: FortiClient compliant but no access to data 2019/03/13 01:24:51 (permalink)
    We don't use the Compliance feature but the SSL VPN is rock solid for us. Whether that's using FortiClient or one of the Linux SSL VPN clients. What version of code is the FortiGate running?
    #2
    Maarten87
    Re: FortiClient compliant but no access to data 2019/03/13 01:48:34 (permalink)
    Hi,
    FortiGate is running on FortiOS version: FortiOS v5.6.8 build1672 (GA)
    It is very strange, as some users (not all) reported that the next day, for example, it is working again from home.
     
    Yesterday I had a colleague who was working from home. Good WIFI signal. Started VPN and made connection, everything went fine. FortiClient showed he was compliant. I checked the FortiGate admin panel - under FortiClient Monitor - and it showed he was compliant. I open a browser and the FortiClient page pops up stating that it is not compliant because it detected version 0.0.0. We have it set so people need to have version 6.0.2. This person has version 6.0.3 so it should work. He also tried this through hotspot via phone. Same story.
    In the end I couldn't fix the VPN issue......
     
    Today, I am checking this same user, and he is working fine through VPN today. No changes have been made on either our side or the user's side.
    #3
    SteveG
    Re: FortiClient compliant but no access to data 2019/03/13 02:01:14 (permalink)
    Sounds like a compatibility issue between FortiGate OS and the FortiClient version. I'll see if there's a compatibility chart somewhere.
    #4
    SteveG
    Re: FortiClient compliant but no access to data 2019/03/13 02:03:47 (permalink)
    Apologies if I'm suggesting stuff you've already done but is Compliance via SSL VPN actually enabled on the FortiGate?
     
    To enable endpoint registration on the SSL-VPN
    1. Go to SSL-VPN Settings > VPN > SSL-VPN Settings.
    2. In Tunnel Mode Client Settings, make sure Allow Endpoint Registration is enabled.
    3. Select Apply.
    4. Go to Interfaces > Network > Interfaces and edit the ssl.root interface.
    5. In Admission Control, enable FortiTelemetry. Optionally, you can also enable Enforce FortiClient Telemetry for all FortiClients. This forces endpoints to register with FortiClient before they have network access.
    6. Select OK.
    This procedure does not include all settings needed to configure a working SSL-VPN.
    #5
    Maarten87
    Re: FortiClient compliant but no access to data 2019/03/13 02:08:47 (permalink)
    Hi Steve,
    This is all configured properly. Just checked. We do have people who connect fine and stay connected for a longer time. On the other hand, we also have people who can't connect with previously stated issues.
    To note. Everyone is running FortiClient 6.0.3 as it is deployed to them.
    post edited by Maarten87 - 2019/03/13 02:12:12
    #6
    SteveG
    Re: FortiClient compliant but no access to data 2019/03/13 02:18:49 (permalink)
    Incidentally we had some web filtering related issues that were introduced in 6.0.3 which were fixed in 6.0.5 and we don't even use web filtering! Perhaps give 6.0.5 a try on a test machine. There is also a critical vuln in 6.0.3 that's fixed in .5
    #7
    Maarten87
    Re: FortiClient compliant but no access to data 2019/03/13 02:37:59 (permalink)
    Hi Steve,
     
    Since the crit vuln. is fixed in 0.5, it will be good for us to update all the clients. I did test 0.5 for these specific issues already though. For one user it did solve it, for the other user it didn't. The user where the update did not fix the issue, came in the office the next day, stating that the vpn worked in the evening from home. I updated it in the morning.
    It's really difficult to identify the issue, as clients with problems one day work the other day and decide to not work the day after again. On the other hand, some clients have no issues at all.
    I will test FortiClient 6.0.5 though and see if this one gives more stability.
    #8
    SteveG
    Re: FortiClient compliant but no access to data 2019/03/13 02:53:17 (permalink)
    You seeing this on both MacOS and Windows?
    #9
    Maarten87
    Re: FortiClient compliant but no access to data 2019/03/13 02:57:21 (permalink)
    Currently we have no MacOS devices where the FortiClient is installed on.
    All our devices are HP Laptops running Windows 7 Professional 64 Bit. We do have around 4 to 5 machines running on Windows 10 Pro 64 bit.
    #10
    SteveG
    Re: FortiClient compliant but no access to data 2019/03/13 02:58:19 (permalink)
    Not sure what else to suggest, personally I'd raise a support ticket with Fortinet at this point.
    #11
    Maarten87
    Re: FortiClient compliant but no access to data 2019/03/13 03:01:04 (permalink)
    We have also done this already.
    My colleague was on the phone with them for 3 hours. They did some DNS changes, which they reverted back as well. (I assume it did not help, hence the revert.)
    In the end they advised us to reinstall Windows on the problematic devices. Which, in my opinion, is not a solution.
    Wanted to share it here, in case someone might have seen this before and has a possible solution.
    #12
    SteveG
    Re: FortiClient compliant but no access to data 2019/03/13 03:18:52 (permalink)
    Re-install Windows! That's a terrible solution, which is very unlikely to work. Do you have any other security software on the PCs that might be blocking FC? Perhaps try a vanilla install of Windows to see if that works.
    #13
    Maarten87
    Re: FortiClient compliant but no access to data 2019/03/13 03:33:54 (permalink)
    Hi Steve,
    On the Windows 7 machines we have Kaspersky running as the AV. Again, this runs on all the W7 machines, so the problematic ones, but also some of the good ones. I can try a clean W7 install without AV, but I won't be able to get past the compliance check. It is checking if a third party AV is installed. If not, the machine won't be compliant.
    #14
    SteveG
    Re: FortiClient compliant but no access to data 2019/03/13 03:39:34 (permalink)
    Perhaps try with the AV component of FortiClient enabled, that would be a good test as to whether it's the AV client causing the issue. You'd hope the compliance check would work perfectly when using FortiClient with AV enabled....
    #15
    Maarten87
    Re: FortiClient compliant but no access to data 2019/03/13 03:50:13 (permalink)
    Will need to discuss if we can try this. I don't really have a lab environment to test in. If I change the setting to use Forti AV instead of a third party AV, it will be pushed to everyone, I assume. This might raise more issues.
    #16